Category Archives: Risk Management

I propose that ERM is worth doing and doesn’t have to be so complex if you simply “begin with the end in mind,” as Stephen Covey says in The 7 Habits of Highly Successful Security Leaders. Or would have said if he’d written such a book.

The basis of my thoughts is COSO’s ERM framework (link goes to a PDF of the Executive Summary). Here is the end to keep in mind as you begin your ERM efforts, taken from COSO’s work: